Single Operator Breaches 600 Firewalls Using AI Agents
A lone cybercriminal reportedly used AI models, including DeepSeek and Claude, to breach over 600 FortiGate firewalls across 55 countries in five weeks. The operator orchestrated the attack using a custom Multi-Control-Plane (MCP) server, highlighting the dual-use potential of agentic AI infrastructure for autonomous cyberattacks.
- The custom Multi-Control-Plane (MCP) server likely exploited known vulnerabilities in FortiGate firewalls, such as CVE-2025-59718, which allows authentication bypass, or CVE-2025-25249, a high-severity remote code execution flaw. These vulnerabilities would allow an agent to gain initial access and execute commands.
- Agentic AI attacks operate at "machine speed," moving simultaneously across multiple systems, which is a significant shift from the slower, more methodical approach of human attackers. This allows for probing dozens of systems and attempting hundreds of credentials in parallel.
- From a governance perspective, frameworks like the NIST AI Risk Management Framework and ISO 42001 are becoming critical for enterprises to demonstrate due diligence in managing AI-related cyber risks. These frameworks provide structured approaches to identifying, measuring, and managing the risks associated with AI systems.
- Enterprises are increasingly adopting AI for cyber defense to counter such threats. For example, Capital One uses AI to scan for and classify sensitive financial data, while other firms have reduced analyst workloads by 60% and improved detection rates by using AI copilots in their Security Operations Centers (SOCs).
- The venture capital landscape shows a strong focus on AI-powered cybersecurity, with Q1 2025 funding reaching $2.7 billion, a 29% increase from the previous quarter. Top VCs are heavily backing startups in agentic AI for security, with a focus on areas like automated security testing and identity management.
- The use of a custom MCP server highlights a growing trend of attackers targeting AI infrastructure itself. Vulnerabilities in MCP servers, which connect AI models to external data, can allow for arbitrary code execution, data theft, and manipulation of AI outputs.
- The dual-use nature of these AI tools is a key concern for regulators. The same generative AI that can be used for defense, such as Microsoft's Security Copilot, which can reduce investigation times by up to 90%, can also be used by attackers to create more sophisticated phishing attacks and malware.
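The "machine speed" point above has a detection consequence: a single source failing logins against many distinct devices within seconds is a pattern human operators rarely produce. The following detector is an added example, not code from the original report; the log layout, addresses and device names are constructed for illustration and are not FortiGate's real log schema.

```python
"""Flag machine-speed credential probing: one source with failed logins
against many distinct devices inside a short sliding window."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_sample():
    """Constructed events (not real FortiGate logs), one per line:
    <ISO timestamp> <source ip> <target device> <user> <result>.
    Source 203.0.113.7 sprays 8 devices in about 6 seconds (agent-like);
    source 198.51.100.9 retries one device a few minutes apart (human-like)."""
    base = datetime(2025, 5, 1, 10, 0, 0)
    lines = []
    for i in range(12):  # 12 failures, 8 distinct devices, 0.5 s apart
        ts = base + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 fw-{i % 8:02d}.example admin FAIL")
    for i in range(3):  # 3 failures on a single device, 3 min apart
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.9 fw-00.example admin FAIL")
    return lines


def parse(line):
    ts, src, dst, user, result = line.split()
    return datetime.fromisoformat(ts), src, dst, user, result


def detect_bursts(lines, window=timedelta(seconds=30), min_targets=5, min_attempts=10):
    """Return {source: (distinct_targets, attempts)} for every source whose
    failed logins inside some window touch >= min_targets devices with
    >= min_attempts attempts. Per source, the largest window seen is kept."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, _user, result = parse(line)
        if result == "FAIL":
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide window start
                lo += 1
            win = events[lo:hi + 1]
            targets = {dst for _, dst in win}
            if len(targets) >= min_targets and len(win) >= min_attempts:
                alerts[src] = max(alerts.get(src, (0, 0)), (len(targets), len(win)))
    return alerts


if __name__ == "__main__":
    for src, (targets, attempts) in detect_bursts(constructed_sample()).items():
        print(f"ALERT {src}: {attempts} failed logins across {targets} devices")
```

Tune the window and thresholds to the environment's normal login volume; the slow single-device retries stay below both thresholds and are not flagged.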